Article Id 275771

This article describes how to configure DNS translation as an alternative to a hairpin VIP. The technique applies when the destination server is on the same FortiGate as the client, but the client's DNS query resolves to the server's external IP address.


FortiOS all models and firmware.


Creating DNS translation:

DNS translation can be configured per policy using a DNS filter profile, or per VDOM using the CLI. For example:


config firewall dnstranslation
    edit 1
        set dst (original IP address)
        set netmask (network mask, 255.255.255.255 for a single host)
        set src (translated IP address)
    next
end




Creating DNS translation using the GUI:

  • Create a DNS filter profile. Go to Security Profiles, DNS Filter, and create a new filter profile or edit an existing one.



  • Enable DNS translation in the DNS filter profile:



  • Create new:



  • Next, add the external IP address under Original Destination and the internal IP address under Translated Destination. In this case it is a single IP address, so a netmask of is entered under Network mask.



  • Add the DNS translation profile to the policy that will allow DNS traffic.


See the following article for further details/examples on DNS translation: Technical Tip: How to use the DNS translation feature.




As shown above: resolves to, the internal address of this server is, and the DNS server is, which is external to this location. Because the DNS reply passes through the FortiGate and matches the DNS translation entry, the resolved address is translated from to. Since the 192.168.2.X/24 subnet is in the DMZ, the client can reach the server as long as an IPv4 policy from LAN to DMZ allows the traffic.
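To make the behaviour of the CLI entry and the walkthrough above concrete, the following Python script models what the FortiGate does to a DNS reply: it parses a DNS response, finds the A records in the answer section, and substitutes the translated address wherever the resolved address matches the original address under the configured netmask. This is an added example written for this article, not FortiOS code. The external address 203.0.113.10 and the DMZ host 192.168.2.10 are constructed sample values, the sample DNS response is built inline, and the handling of the netmask (matching a whole subnet and preserving the host bits when translating) is an assumption about how the feature generalises to subnet entries.

```python
import ipaddress
import struct
from dataclasses import dataclass


@dataclass(frozen=True)
class DnsTranslationRule:
    """One 'config firewall dnstranslation' entry, modelled with the GUI field names."""
    original: str    # Original Destination: address (or subnet base) in the external DNS reply
    translated: str  # Translated Destination: address (or subnet base) to write into the reply
    netmask: str     # Network mask: 255.255.255.255 for a single host, wider for a subnet


def translate_address(addr: str, rules) -> str:
    """Return the translated address if any rule matches, otherwise the address unchanged.

    Assumption: with a subnet mask, host bits are kept and only the network part is replaced.
    """
    ip = int(ipaddress.IPv4Address(addr))
    for rule in rules:
        mask = int(ipaddress.IPv4Address(rule.netmask))
        if ip & mask == int(ipaddress.IPv4Address(rule.original)) & mask:
            new = (int(ipaddress.IPv4Address(rule.translated)) & mask) | (ip & ~mask & 0xFFFFFFFF)
            return str(ipaddress.IPv4Address(new))
    return addr


def _skip_name(pkt: bytes, off: int) -> int:
    """Advance past a DNS name (labels or a compression pointer) and return the new offset."""
    while True:
        length = pkt[off]
        if length & 0xC0 == 0xC0:   # compression pointer: two bytes, terminates the name
            return off + 2
        off += 1
        if length == 0:
            return off
        off += length


def _resource_records(pkt: bytes):
    """Yield (rdata_offset, rtype, rclass, rdlength) for every RR after the question section."""
    _, flags, qdcount, ancount, nscount, arcount = struct.unpack("!HHHHHH", pkt[:12])
    if not flags & 0x8000:      # QR bit clear: this is a query, there are no answers to rewrite
        return
    off = 12
    for _ in range(qdcount):
        off = _skip_name(pkt, off) + 4          # skip QTYPE and QCLASS
    for _ in range(ancount + nscount + arcount):
        off = _skip_name(pkt, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        yield off, rtype, rclass, rdlen
        off += rdlen


def resolved_addresses(pkt: bytes) -> list:
    """All IPv4 addresses carried in A records (type 1, class IN) of a response."""
    return [str(ipaddress.IPv4Address(pkt[off:off + 4]))
            for off, rtype, rclass, rdlen in _resource_records(pkt)
            if rtype == 1 and rclass == 1 and rdlen == 4]


def rewrite_dns_response(pkt: bytes, rules) -> bytes:
    """Apply DNS translation to every A record in a DNS response; other records are untouched."""
    out = bytearray(pkt)
    for off, rtype, rclass, rdlen in _resource_records(pkt):
        if rtype == 1 and rclass == 1 and rdlen == 4:
            old = str(ipaddress.IPv4Address(pkt[off:off + 4]))
            out[off:off + 4] = ipaddress.IPv4Address(translate_address(old, rules)).packed
    return bytes(out)


def build_a_response(name: str, addr: str, txid: int = 0x1234) -> bytes:
    """Construct a minimal DNS response with one A record (sample input for this example)."""
    qname = b"".join(bytes([len(label)]) + label.encode() for label in name.split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)   # standard response, 1 question, 1 answer
    question = qname + struct.pack("!HH", 1, 1)                  # QTYPE A, QCLASS IN
    answer = b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, 300, 4) + ipaddress.IPv4Address(addr).packed
    return header + question + answer


if __name__ == "__main__":
    # Single-host entry, matching the GUI walkthrough: external 203.0.113.10 -> DMZ host 192.168.2.10
    rules = [DnsTranslationRule("203.0.113.10", "192.168.2.10", "255.255.255.255")]
    reply = build_a_response("www.example.com", "203.0.113.10")
    print("from external DNS:", resolved_addresses(reply))
    print("after FortiGate:  ", resolved_addresses(rewrite_dns_response(reply, rules)))
```

The rewrite keeps the packet length unchanged, because an A record's RDATA is always four bytes; this is why DNS translation does not need to touch the UDP length or any compression pointers in the reply. A reply for a name outside the configured entry passes through untouched, which is the check to run first when the client still reaches the external address: confirm the resolved address actually matches the Original Destination and netmask before looking at the LAN-to-DMZ policy.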